How a Researcher Exposed Vulnerabilities at McDonald’s


Uncovering Major Security Flaws at McDonald’s: A Cautionary Tale

In today’s digitally driven landscape, even the largest corporations are not immune to cybersecurity threats. A recent incident involving McDonald’s reveals how a seemingly harmless quest for free chicken nuggets led to the discovery of serious vulnerabilities within the company’s digital infrastructure.

The Initial Discovery

On August 17, 2025, an independent researcher known as BobDaHacker detailed his findings after inadvertently breaching McDonald’s systems. What began as an investigation into their rewards app quickly spiraled into a broader audit of the company’s cybersecurity practices. Bob found issues ranging from insecure coding practices to internal tools that were improperly configured.

Hacked for Nuggets: The Rewards App Flaw

Bob’s journey began with a simple exploit in the McDonald’s mobile app. He discovered that the app failed to adequately validate rewards points on the server side, relying instead on client-side checks. This oversight allowed users to exploit the system, gaining free food without possessing enough points.

Despite his attempts to report this flaw, Bob felt brushed aside by an overworked engineer; the issue appears to have been patched quietly, without acknowledgment of his report. This incident, however, was just the tip of the iceberg.

The Feel-Good Design Hub Shortcomings

Continuing his investigation, Bob turned his attention to the Feel-Good Design Hub, a marketing platform reportedly used by McDonald's across 120 nations. He found that the portal was protected by a client-side password, a practice that offers no real protection because the check runs in the user's browser. Even after a three-month migration to an updated login system, vulnerabilities remained, including a loophole that gave easy access to a registration form, which then sent new passwords in plaintext email.

This internal portal hosted videos marked as "highly confidential," yet the weak security measures enabled unauthorized individuals to sign up and access sensitive corporate materials.

Uncovered APIs and Personal Data Exposure

While navigating through the Design Hub's JavaScript code, Bob found an API key and secret embedded in plaintext. This exposure could allow an attacker to impersonate McDonald's infrastructure to send malicious notifications, paving the way for phishing attacks. Once he reported the issue, McDonald's quickly rotated the keys, but only after the exposure had already been identified.

Additionally, Bob stumbled upon Algolia search indexes that publicly exposed personal data of individuals who had requested access to internal systems. This included email addresses, names, and their request histories—information that should have remained confidential.

Accessing Executive Portals

Further probing yielded alarming results: crew-level employees had unimpeded access to various executive systems. Using a friend’s crew account, Bob tested multiple portals. One portal, identified as TRT (trt.mcd.com), allowed users to search for any McDonald’s employee worldwide, even executives, revealing personal email addresses in the process. More troubling was a feature that enabled crew members to retrieve sensitive employee details using names or IDs.

Moreover, the GRS (Global Restaurant Standards) tool, designed for franchise owners, contained administrative features that lacked proper authentication, allowing Bob to modify its homepage as a demonstration of the vulnerabilities.

Security Oversights in New Initiatives

Even McDonald’s latest experimental initiative, CosMc’s restaurant, showed signs of major security lapses. The promotional "new member" coupon could be reused indefinitely due to inadequate backend validation. Furthermore, Bob identified a serious flaw that allowed for arbitrary data injection into customer orders.
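The two backend-validation failures described above, the rewards app trusting client-reported points and the CosMc's coupon being accepted repeatedly, share one root cause: state that should live only on the server is trusted from the client. The following added example (not code from the article or from McDonald's; all names, costs and data are constructed) shows the vulnerable pattern beside a hardened redemption handler that keeps the balance and coupon state server-side.

```python
# Added illustration, not McDonald's code: server-side redemption logic.
# Balances, reward costs and consumed coupons are held by the server only.
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Server-side state. The client never supplies any of these values."""
    points: dict = field(default_factory=dict)        # user -> balance
    used_coupons: set = field(default_factory=set)    # (user, coupon_code)


# Reward catalogue is server-side too: the client may name an item, not its cost.
REWARD_COST = {"nuggets_6pc": 1500, "fries_md": 1200}


def redeem_vulnerable(user, item, claimed_points):
    """'Before' pattern: the server trusts the balance the client reports.
    Any client can send an arbitrarily large claimed_points and pass."""
    cost = REWARD_COST[item]
    if claimed_points < cost:
        return {"ok": False, "reason": "insufficient points"}
    return {"ok": True, "user": user, "item": item}   # nothing is ever debited


def redeem_secure(ledger, user, item, coupon=None):
    """Hardened pattern: balance and coupon state are checked and updated
    on the server. A coupon is single-use per user; points are debited."""
    cost = REWARD_COST.get(item)
    if cost is None:
        return {"ok": False, "reason": "unknown item"}
    if coupon is not None:
        key = (user, coupon)
        if key in ledger.used_coupons:
            return {"ok": False, "reason": "coupon already used"}
        ledger.used_coupons.add(key)          # consume before fulfilling
        return {"ok": True, "user": user, "item": item, "coupon": coupon}
    balance = ledger.points.get(user, 0)
    if balance < cost:
        return {"ok": False, "reason": "insufficient points"}
    ledger.points[user] = balance - cost      # debit the server-side ledger
    return {"ok": True, "user": user, "item": item, "remaining": balance - cost}
```

In a real backend the debit and the coupon mark must be a single atomic database operation (for example an UPDATE guarded by the current balance) so that concurrent requests cannot redeem the same points or coupon twice.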

The Challenges of Responsible Disclosure

Despite identifying these critical vulnerabilities, reporting them proved to be exceptionally challenging. Initially, McDonald’s had a security.txt file in place to guide disclosures, but this was removed shortly thereafter. In a bid to reach the appropriate contacts, Bob cold-called McDonald’s headquarters, referencing security personnel he located on LinkedIn. After several attempts, he eventually connected with someone who validated his concerns.

The Aftermath

Eventually, McDonald's addressed many of the highlighted issues, but the incident showcased significant gaps in their security protocols. Bob's friend, who assisted in the endeavor, was reportedly dismissed as a result, casting a shadow over the company's handling of security matters. The absence of a clear security.txt file or a bug bounty program leaves ethical hackers without a clear way to report vulnerabilities.

This incident serves as a stark reminder of how critical cybersecurity is for large enterprises. Simple oversights in software design, such as failing to validate data properly, can lead to significant vulnerabilities. The importance of maintaining strong digital defenses and having protocols in place for responsible disclosure cannot be overstated.
